Carnival Corporation is facing several lawsuits after a reported data breach that may have exposed personal information belonging to millions of customers, raising concerns about how the company protects sensitive data.

According to multiple industry and cybersecurity reports, the breach, linked to the hacking group ShinyHunters, allegedly compromised up to 8.7 million records, including names, dates of birth, and email addresses tied to loyalty programs operated by Carnival subsidiaries.

The company said it identified unauthorized activity involving a single user account and acted quickly to block access, notify law enforcement, and bring in external cybersecurity experts to investigate the incident. 

Despite Carnival’s statement that the breach may have been limited, reports that a large dataset has been published online have led to multiple lawsuits in the United States. One case, Burling v. Carnival Corporation, was filed in April 2026 in Florida and could be the first of several legal actions. 

Legal experts say the lawsuits will likely examine whether Carnival had proper safeguards in place and how it handled the breach once it was discovered. Similar cases in the past have resulted in settlements, including a $1.25 million multistate agreement related to an earlier Carnival data incident. 

Cybersecurity analysts point out that large travel companies are frequent targets for hacking groups because they store extensive customer data across multiple brands. Groups such as ShinyHunters often focus on loyalty program databases due to their high value. 

Carnival has not confirmed the full scale of the breach, saying the investigation is ongoing, but the situation could lead to further legal and financial impact as more details emerge.